
It can happen to you! | Social Engineering in Finance

Blog about Social Engineering in Finance – by Etienne Verhasselt, Senior Account Manager at ZIONSECURITY, partner of SecureLink

Phishing, spoofing, dumpster diving, shoulder surfing, role play… You name it! Many companies think they have the right technology in place to counter these social engineering attacks. But, guess what…
It can happen to you too! A single inattentive End User can cause a data leak and ruin your systems and your reputation. We have been doing ethical hacking for 20 years now, and we have put this to the test. Let me share some true stories with you.

Plenty of Finance Phish in the Sea

In general, the Finance Industry is strongly focused on IT security. So, you wouldn't consider them easy victims, would you? Especially not the management. One of the biggest financial institutions in Belgium asked us to put this to the test. We were asked to target 10 of their top managers through phishing.

What did we do? You always need some form of preparation. In this case, we could find everything we needed through a simple internet search: information about their hobbies, interests, cities, family situations, literary interests, club memberships and more. This is exactly the sort of information that can be used to craft a convincing, personalized phishing email.

Phishing emails that contained messages such as:

“You participated in golf tournament X, thanks to [NAME EMPLOYER] you can now participate in … for free.”

“Your subscription to the Harvest Business Review is about to expire. Renew your registration.”

Curious about the results?

Well, those who think board members would know better are wrong. 60% gave up their credentials. Afterwards, we gave a presentation to the management team, and they were stunned.

Not all social engineering is done behind a screen

The personal information we used was found on the internet. But this doesn't always have to be the case. Here are some other short examples:

We asked for a visitor badge at the reception desk and were able to walk around the building for three weeks. We took pictures of the general manager's computer and stole copies of sensitive information. Just looking over someone's shoulder can be interesting too. By the way, you would be surprised at what we, or the cleaning staff, can find in the dustbins…

When things become urgent, people tend to give away much more information than they should: "Just give me your username and password so I can help you out right away."

Don't assume that the stranger at the coffee machine, the new supplier or the new colleague in the lunch room is who they say they are. They could be asking about your hobbies, your role and your position within the business for many reasons.

The events described above are real-life examples of how easy it is to get access to sensitive data. And this is just the beginning. If this data gets into the wrong hands, the impact can be immense and real damage can be done. It is therefore very important to train your End Users to recognise the dangers of social engineering and the potential impact it can have on their company.

SecureLink Belgium, together with ZIONSECURITY offers an interactive End User Security Training Program which can include:

Social Engineering in Healthcare institutions

Our team of specialists was asked to perform some acts of social engineering in Belgian healthcare institutions to test how their End Users would react. Discover what we did and what we were able to achieve.